ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-104 All Questions

View all questions & answers for the AZ-104 exam
Go to Exam

Exam AZ-104 topic 2 question 1 discussion

Actual exam question from Microsoft's AZ-104
Question #: 1
Topic #: 2
[All AZ-104 Questions]

HOTSPOT -
You have an Azure subscription named Subscription1 that contains a resource group named RG1.
In RG1, you create an internal load balancer named LB1 and a public load balancer named LB2.
You need to ensure that an administrator named Admin1 can manage LB1 and LB2. The solution must follow the principle of least privilege.
Which role should you assign to Admin1 for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
The Network Contributor role lets you manage networks, but not access them.
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
by juniorccs at May 19, 2022, 10:05 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
alen995454
Highly Voted 7 months, 1 week ago
The given answer is incorrect: Box 1. Network Contributor on RG1 Box 2. Network Contributor on RG1
upvoted 170 times
SHAHIN_STA
4 months, 2 weeks ago
Wrong ---------why? 1. To add a backend pool to LB1: Network Contributor on LB1 Reason: This role allows managing the Load Balancer's network settings. Assigning it only to LB1 follows the Principle of Least Privilege by limiting access. 2. To add a Health Probe to LB2: Network Contributor on LB2 Reason: This role lets the user create and manage Health Probes. Giving access only to LB2 keeps permissions limited and secure.
upvoted 4 times
...
achu_r_27
4 months, 1 week ago
https://learn.microsoft.com/en-us/answers/questions/1288486/network-contributor explains network contributor can't create backend VMs. So my ans 1)Contributor on LB1 2) Network contributor on LB2
upvoted 3 times
...
Jaiiee
4 months, 2 weeks ago
For LB1 (Internal Load Balancer): Network Contributor Reason: This role grants full permissions to manage all aspects of networking resources, including internal load balancers. For LB2 (Public Load Balancer): Network Contributor Reason: Similar to LB1, managing a public load balancer requires the Network Contributor role. Explanation: The Network Contributor role is the minimum role required to manage load balancers, including configuration changes, backend pool management, and health probes. Assigning it at the resource or resource group level ensures Admin1 can manage these specific resources without excessive permissions to unrelated services.
upvoted 1 times
...
Jaiiee
4 months, 2 weeks ago
Assigning the Network Contributor role at the RG1 level would allow Admin1 to manage all networking resources in the resource group, not just LB1 and LB2. While this may seem convenient, it violates the principle of least privilege, which dictates that a user should only have permissions for the specific resources they need to manage.
upvoted 2 times
...
Load full discussion...
...
Abd99
Highly Voted 7 months, 1 week ago
Network Contributor on LB1 Network Contributor on LB2 Network Contributor role on LB1 and LB2 is the correct answer. With this role user can add create a backend address without actually adding the actual IP addresses. Network contributor can also create and modify health probe. If the user wants to add address to backend pools (eg: IPs from a VNet or entire subnet) then a Network Contributor role is required at the resource group level (or atleast on VNet)
upvoted 53 times
XristophD
2 years, 5 months ago
this answer is not correct, just tested in a lab environment. Network-Contributor needs to be given on the Resource Group in question, not only the LB - for both actions, adding a Health-Probe and adding a Backend-Pool a validation on the RG-level is triggered. Not having the Network Contributor role on RG level will produce the following error mesage for adding a Health Probe: Additional details from the underlying API that might be helpful: The client 'test@<domain.ltd>' with object id '<some-object-id>' does not have authorization to perform action 'Microsoft.Resources/deployments/validate/action' over scope '/subscriptions/<subscriptionId>/resourceGroups/pb-weu-d-testexam/providers/Microsoft.Resources/deployments/HealthProbe-20221125094430' or the scope is invalid. Adding a backend pool fails to create the deployment at all. Both actions work with Network Contributor role on the Resource Group level.
upvoted 32 times
FNog
2 years, 2 months ago
Both Load Balancers already exist, though... Only management rights are requested so, LB1 and LB2.
upvoted 5 times
...
jackill
1 year, 9 months ago
Actually the Network Contributor role (https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#network-contributor) has “Microsoft.Resources/deployments/*” among allowed actions, but from the error you reported it appears that the HealthProbe resource is not included in the scope path of the Load Balancer, but it appears to be a resource defined externally from the Load Balancer. Is this the reason of the failure? Is the Backend Pool defined externally too?
upvoted 1 times
...
...
DrMiyu
2 years, 10 months ago
From Microsoft Network Contributor = "Lets you manage networks, but not access to them.". RG contributor would give you right on everything in the RG so too much
upvoted 8 times
...
...
mrmccoy007
Most Recent 1 month, 2 weeks ago
I think what is tripping people up in the first box is whether we are creating or adding an existing backend pool. You need RG1 if you are creating a backend pool but this says adding a backend pool which is a function of the loadbalancer configuration.
upvoted 1 times
...
Mitko_V_Milkov
2 months, 1 week ago
Network Contributor to LB1 and LB2. The statement says that the LBs are already created, and Admin 1 needs these right with leatst priviliges. You are not Admin 1...Admin 1 is another user and giving him "Contributor to the RGs" is too broad.
upvoted 1 times
...
CloudEngJS
5 months ago
Tested and confirmed in a lab, the correct answers are NetworkContributor on RG1
upvoted 1 times
...
jorex535
5 months, 2 weeks ago
Copilot answer: "Both solutions are valid, but the preferable one depends on your specific needs and management preferences: Assigning the Network Contributor role at the resource group level (RG1): Pros: Simplifies role management by granting Admin1 permissions to manage all network-related resources within the resource group, including both LB1 and LB2. Cons: Admin1 will have broader access, which might include other network resources in RG1 that they don’t need to manage. Assigning the Network Contributor role directly to LB1 and LB2: Pros: Follows the principle of least privilege more strictly by limiting Admin1’s access to only the specific load balancers they need to manage. Cons: Requires more granular role assignments, which can be more complex to manage if there are many resources. If you want to keep things simple and Admin1 needs to manage multiple network resources within RG1, assigning the role at the resource group level is preferable. However, if you want to strictly limit Admin1’s access to only the load balancers, assigning the role directly to LB1 and LB2 is the better choice."
upvoted 1 times
...
bacana
6 months ago
Network contributor to LB is the latest permission, but not work in real life. You need be network contributor to RG1
upvoted 1 times
...
zeuge
6 months ago
According to the response from Microsoft, which specifies the permissions of the 'Network Contributor' role in the resource group LB, the correct answer, in my opinion, looks like this: Box 1. Network Contributor on LB1 Box 2. Network Contributor on RG1
upvoted 1 times
zeuge
6 months ago
Network Contributor on LB can't add a health probe.
upvoted 1 times
...
...
Dankho
6 months, 1 week ago
I'm glad the discussion basically has every possibility.
upvoted 7 times
...
happpieee
6 months, 1 week ago
Network Contributor on LB1 and LB2 (to either add backend pool or health probe). Source: https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/networking#microsoftnetwork
upvoted 1 times
...
happpieee
6 months, 1 week ago
Network Contributor for LB1 (add backend pool) Network Contributor for LB2 (add healthprobe) Source: https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/networking#microsoftnetwork
upvoted 1 times
...
rikininetysix
7 months, 1 week ago
The correct answer would be - 1. Network Contributor on RG1 2. Network Contributor on LB2 The "Network Contributor" role provides permissions to manage network resources such as virtual networks, subnets, network interfaces, and IP addresses. While it does grant certain permissions related to load balancers, such as managing load balancing rules and probes, it does not provide the necessary permissions to add or modify backend VMs associated with the load balancer. To add backend VMs to a load balancer, the user would require additional permissions, specifically the "Virtual Machine Contributor" role or higher. So, the Network Contributor on RG1 option would be the only viable option for the first answer. Link - https://learn.microsoft.com/en-us/answers/questions/1288486/network-contributor
upvoted 4 times
...
Alandt
7 months, 1 week ago
Come on guys, how is it possible that these questions are so confusing that the community can't even reach to a consensus for the right answer. So what's the correct answer here? Network Contributor on RG1 Network Contributor on RG1 Or Network Contributor on LB1 Network Contributor on LB2
upvoted 3 times
nmshrwt
1 year, 3 months ago
It is neither Ans is for health probe assign network contributor on RG level for backend pool assign owner on LB if not owner contributor on RG can do it
upvoted 1 times
...
...
[Removed]
7 months, 2 weeks ago
WRONG - Network Contributor on RG1 - Network Contributor on RG1
upvoted 1 times
...
[Removed]
7 months, 3 weeks ago
wrong 1st. Network Contributor on RG1 2nd. Network Contributor on RG1
upvoted 1 times
...
salihGamar
8 months, 2 weeks ago
Yes, you can assign Admin1 the "Network Contributor" role directly to LB1 and LB2 instead of the entire resource group. This would follow the principle of least privilege more closely by limiting Admin1's permissions specifically to those two load balancers. So the Answer is correct! .. Network Contributor on LB1 & Network Contributor on LB2 ..
upvoted 2 times
...
divzrajshekar123
9 months ago
Correct answer is : box 1: 3 - network contributor access on RG1 box2: 3 - network contributor access on RG1 if we give network contributor access on LB level then we wont be able to access the Lb resource. hence network contributor access on resource level is required. I found out this after long lab session. hope its helps.
upvoted 4 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago